Security is hard, but we can’t go shopping
André Arko • Koto-ku, Tokyo, Japan • Talk

Date: May 31, 2013
Published: June 17, 2013
Announced: unknown

The last few months have been pretty brutal for anyone who depends on Ruby libraries in production. Ruby is really popular now, and that’s exciting! But it also means that we are now square in the crosshairs of security researchers, whether whitehat, blackhat, or some other hat. Only the Ruby and Rails core teams have meaningful experience with vulnerabilites so far. It won’t last. Vulnerabilities are everywhere, and handling security issues responsibly is critical if we want Ruby (and Rubyists) to stay in high demand. Using Bundler’s first CVE as a case study, I’ll explain responsible disclosure for bugs you find, and repsonsible ownership of your own code. Don’t let your site get hacked, or worse yet, let your project allow someone else’s site to get hacked! Learn from the hard-won wisdom of the security community so that we won’t repeat the mistakes of others.

RubyKaigi 2013